b'Audit Report, \xe2\x80\x9cNASA\xe2\x80\x99s Information Technology Vulnerability Assessment Program\xe2\x80\x9d\n(IG-05-016, May 12, 2005)\n\nThe NASA Office of Inspector General conducted a review to determine whether NASA\nhad established an effective program to reduce unacceptable vulnerabilities in NASA\xe2\x80\x99s\ninformation technology (IT) systems.\n\nWe found that the NASA Chief Information Officer (CIO) had established an ongoing\nprocess to assess the most current vulnerability assessment tools available and used tools\nthat were most effective in the NASA environment. In addition, the CIO established\nformal requirements and guidance for scanning, accumulating, analyzing, and addressing\nidentified vulnerabilities and for reporting FY 2004 vulnerability data. However, our\nwork at four NASA Centers found that the Centers did not comply with the Vulnerability\nAssessment Program. Specifically, two Centers had not fully implemented the program\xe2\x80\x99s\nrequirements for scanning systems and none of the Centers had fully complied with the\nreporting requirements established by the NASA CIO. Management either took or was\nplanning to take corrective actions in response to our recommendations.\n\nThe report contains NASA Information Technology/Internal Systems Data that is not\nroutinely released under the Freedom of Information Act (FOIA). To submit a FOIA\nrequest, see the online guide.\n\x0c'